kuser: allow kinit to renew anonymous PKINIT tickets

Anonymous PKINIT tickets discard the realm information used to locate the
issuing AS. Store the issuing realm in the credentials cache in order to locate
a KDC which can renew them.
Luke Howard
2019-05-21 15:18:16 +10:00
parent a7bb4504f2
commit d89b5cb966
2 changed files with 46 additions and 3 deletions


@@ -737,9 +737,10 @@ fi
if test "$pkinit" = yes -a "$rsa" = yes ; then
echo "try anonymous pkinit"; > messages.log
${kinit} -n @${R} || \
${kinit} --renewable -n @${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${kinit} --renew || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
for type in "" "--pk-use-enckey"; do